Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

RSA 2048 is still the openssh default, i.e., best current advice from the openssh authors. The fact that this article's author labels that as "yellow" is a red flag.


I agree. It would be nice if the line:

> RSA 2048: yellow recommended to change

was followed by at least some link that explains why is it unsafe. Could anyone elaborate further?

UPDATE: there is now a link up in this thread, from the user fjarlq, which points to an NSA recommendation from 2015. The recommendation seems to be related to the need of having a "quantum computing resistant" key. But with quantum computing still in its infancy, how do we know which types of keys would be adequate?


Many theoretical aspects of quantum computing are well-understood, just as a lot of early work on computational complexity etc. predates the existence of (nonhuman) computers.


I think we don't know which one will be adequate but we do know that RSA won't be, hence the recommendation.


A ssh private key does not need to protect future secrets, it just signs an ephemeral challenge. So it doesn't really make sense to worry about future quantum crypto etc. I'd posit that even 1024 is probably still safe enough there (unless you have quite scary enemies targeting you in particular)

That is a concern for the DH key establishment though, that might be decrypted in future.


> That is a concern for the DH key establishment though, that might be decrypted in future.

If you're paranoid, configure your SSH server to only accept Curve25519-based key exchanges, only use AES with authenticated modes or CTR+ETM or chacha/poly1305, and only take ed25519 or long RSA authentication keys.

Assuming your clients are up to date it should work without any major impact. I also strongly recommend rejecting NIST "random" curves in your hostkey verification, better RSA or ed25519 than the current default of the somewhat questionable ECDSA-based keys.


Won't the quantum computer break the curve25519 key exchange?


Yes. This advice is incorrect with regards to quantum computers.


Yes, eventually, but there's a lot bigger concerns than quantum computers currently.


The same arguments were being made in some Reddit threads on the same post; I don't see any reason or new information to point towards RSA 2048 being a questionable or unreasonable choice.

If quantum computing becomes more accessible, there will be a quantum shift (forgive the pun) in how we secure our connections.


A shift of a very, very tiny yet discrete amount?


Not sure if you're just being sarcastic?

A quantum shift, or quantum leap, in common parlance borrows the discontinuity in energy levels in quantum physics as an analogy for a sudden change (compared to the continuous changes in classical descriptions of physical characteristics).

The size is not always part of the analogy except in that the "quantum shift" is far larger in all circumstances than the infinitesimal changes in classical systems. Relative to an infinitesimal the quantum is huge [analytically it is infinitely larger, but the metaphoric analogy doesn't stretch that far].

FWIW.


Yeah, I don't get it either.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: